I’ve previously posted info on the VerticalScope breach affecting 45 million. But I never posted their breach announcement. As I was just reviewing it, I noticed their response to the breach with respect to new password requirements. I thought it was a bit different and should be mentioned here.
From the “What We Are Doing” part of their statement:
We are in the process of invalidating passwords of all VerticalScope user accounts. We have posted a site security notification on each site updating users on the potential risk to certain accounts, the password reset and steps we are implementing to improve security. We are in the process of implementing stronger password rules (passwords now require a minimum of 10+ characters and a mixture of upper- and lower-case letters, numbers and symbols) along with automated account password expiries to encourage more frequent password changes. We will remind our users to use good password practices (not using the same password for multiple online accounts and using unique strong passwords). We are in the process of implementing additional safeguards to detect, alert and mitigate any future brute force attempts, and have notified our third party vendors that interact with our various forum APIs of the February breach to allow their own security teams to investigate. We are continuing our investigation and will be collecting information to provide to the appropriate law enforcement authorities.
VerticalScope is taking steps to strengthen account security. We were already using encrypted passwords and salted hashes to store passwords, and our new password controls are intended to further strengthen user security. We are taking steps to investigate and test new encryption and security technologies to further protect our users.
“along with automated account password expiries”
40 years ago … 40 years! … I worked in an IBM shop that demanded password changes every month. People hated it, but it served its purpose.